FBI MONEYPAK VIRUS

Awp264

New Member
Thread author
May 31, 2013
11
HELP!

Also, I don't have a boot disc, or any way to restore the computer. I tried to run safe mode with command prompt and type: rstrui.exe and before it loaded, the FBI screen popped up.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi Awp264 and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Download Farbar Recovery Scan Tool from the below link:
  • For 32 bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  1. Select Command Prompt
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under File menu select Open.
  4. Select "Computer" and find your flash drive letter and close the notepad.
  5. In the command window type e:\frst.exe and press Enter
     Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to disclaimer.
  8. Press Scan button.
  9. FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
  10. Type exit
  11. Please copy and paste FRST.txt in your next reply
 

Fiery

Level 1
Jan 11, 2011
2,007
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
 

Awp264

New Member
Thread author
May 31, 2013
11
When I do that, all it does is ask what mode of Windows I want, such as safe mode, safe mode with networking, etc.
 

Awp264

New Member
Thread author
May 31, 2013
11
And I don't have a recovery CD or anything. I bought the computer from my father-in-law, who redid the computer for us. He put Windows 7 Premium on it and I don't have any discs for it.
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, your PC doesn't have the system recovery environment installed. Please try the below.

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD, it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

Awp264

New Member
Thread author
May 31, 2013
11
Thank you Fiery! Here is the info you requested...

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-06-2013
Ran by SYSTEM on 01-06-2013 16:13:20
Running from E:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15960096 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2009-03-06] (NVIDIA Corporation)
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
HKLM\...\Winlogon: [Shell] regsvr32 /n /i /s "C:\Users\Heather\AppData\Local\sjwsnt.jsc" [x ] () <=== ATTENTION
HKU\Heather\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [ 2013-03-29] (Valve Corporation)
HKU\Heather\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [ 2013-04-19] (Skype Technologies S.A.)
HKU\Heather\...\Run: [Yontoo Desktop] "C:\Users\Heather\AppData\Roaming\Yontoo\YontooDesktop.exe" [x]
HKU\Heather\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe -update activex [ 2013-03-09] (Adobe Systems Incorporated)
BootExecute: autocheck autochk * bootdelete

========================== Services (Whitelisted) =================

S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agr64svc.exe [16896 2009-03-27] (LSI Corporation)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-20] (Microsoft Corporation)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [109352 2013-05-31] (SurfRight B.V.)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856400 2010-11-20] (Microsoft Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [117144 2013-05-26] (Mozilla Foundation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe [116560 2009-06-10] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-05-14] (Skype Technologies S.A.)
S2 SkypeUpdate; C:\Program Files (x86)\Skype\Updater\Updater.exe [161384 2013-02-28] (Skype Technologies)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [489256 2012-11-19] (Valve Corporation)
S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-31] (AVG Secure Search)
S2 WirelessUSB; C:\Program Files (x86)\CNet\Wireless LAN Driver and Utility\RtlService.exe [36864 2010-04-16] (Realtek)
S2 HitmanPro37CrusaderBoot; "E:\HitmanPro_x64.exe" /crusader:boot [x]

==================== Drivers (Whitelisted) ====================

S3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1208320 2009-06-11] (LSI Corporation)
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-05-31] (AVG Technologies)
S3 b06bdrv; C:\Windows\system32\drivers\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro35; C:\Windows\system32\drivers\hitmanpro35.sys [23112 2013-03-24] ()
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\nvm62x64.sys [408960 2009-06-10] (NVIDIA Corporation)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [848384 2011-02-10] (Realtek Semiconductor Corporation )
S3 RTL85n64; C:\Windows\System32\DRIVERS\RTL85n64.sys [2061856 2010-03-23] (Realtek Semiconductor Corporation )

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-01 16:13 - 2013-06-01 16:13 - 00000000 ____D C:\FRST
2013-05-31 22:02 - 2013-05-31 22:02 - 00000000 ____D C:\Windows\SysWOW64\cache
2013-05-31 20:00 - 2013-05-31 20:01 - 00003725 ____A C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2013-05-29 00:21 - 2013-05-29 00:21 - 304158412 ____A C:\Windows\MEMORY.DMP
2013-05-29 00:21 - 2013-05-29 00:21 - 00000000 ____D C:\Windows\Minidump
2013-05-28 23:48 - 2013-05-28 23:48 - 00318322 ____A C:\Windows\System32\HitmanPro_20130528_2348.log
2013-05-28 21:55 - 2013-05-31 20:43 - 00001821 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-05-28 21:55 - 2013-05-31 20:43 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-27 11:12 - 2013-05-27 11:12 - 00100352 ____A (G<o) C:\Users\Heather\AppData\Local\sjwsnt.jsc
2013-05-26 22:10 - 2013-05-27 00:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-26 19:13 - 2013-05-26 19:13 - 00000000 ____D C:\Users\Heather\AppData\Local\Macromedia
2013-05-17 23:35 - 2013-05-17 23:35 - 00017249 ____A C:\Users\Heather\Desktop\Price Budget.ods
2013-05-17 10:10 - 2013-02-27 02:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-17 10:10 - 2013-02-27 01:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-17 10:10 - 2013-02-27 01:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-17 10:10 - 2013-02-27 01:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-17 10:10 - 2013-02-27 01:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-17 10:10 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-17 10:10 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-17 10:10 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-17 10:07 - 2013-04-10 02:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-17 10:07 - 2013-04-10 02:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-17 10:07 - 2011-02-03 07:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-17 09:26 - 2013-04-05 02:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-17 09:26 - 2013-04-05 02:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-17 09:26 - 2013-04-05 02:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-17 09:26 - 2013-04-05 02:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-17 09:26 - 2013-04-05 02:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-17 09:26 - 2013-04-05 02:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-17 09:26 - 2013-04-05 01:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-17 09:26 - 2013-04-05 01:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-17 09:26 - 2013-04-05 01:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-17 09:26 - 2013-04-05 01:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-17 09:26 - 2013-04-05 01:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-17 09:26 - 2013-04-05 00:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-17 09:26 - 2013-04-05 00:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-17 09:26 - 2013-04-04 23:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-17 09:26 - 2013-04-04 23:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-17 09:25 - 2013-04-05 02:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-17 09:25 - 2013-04-05 02:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-17 09:25 - 2013-04-05 02:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-17 09:25 - 2013-04-05 01:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-17 09:25 - 2013-04-05 01:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-17 09:25 - 2013-04-05 01:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 21:48 - 2013-04-09 23:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-16 21:48 - 2013-03-19 01:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-16 21:48 - 2013-03-19 01:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-16 21:14 - 2013-05-16 21:14 - 00001113 ____A C:\Users\Heather\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-08 18:06 - 2013-05-08 18:06 - 00018009 ____A C:\Users\Heather\Documents\Adam REsume.odt
2013-05-07 19:44 - 2013-05-07 19:44 - 00000193 ____A C:\Windows\WORDPAD.INI
2013-05-03 21:41 - 2013-05-27 11:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-03 21:41 - 2013-05-27 01:17 - 00000456 ___AH C:\Windows\Tasks\Norton Security Scan for Heather.job
2013-05-03 21:41 - 2013-05-03 21:42 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Mozilla
2013-05-03 21:41 - 2013-05-03 21:41 - 00001457 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-05-03 21:41 - 2013-05-03 21:41 - 00001151 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Windows\System32\Drivers\NSSx64
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Users\Heather\AppData\Local\Mozilla
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Program Files (x86)\Norton Security Scan
2013-05-03 21:40 - 2013-05-03 21:40 - 00000000 ____D C:\Users\Heather\AppData\Local\Google
2013-05-03 21:35 - 2013-05-03 21:35 - 00000000 ____D C:\Users\Heather\AppData\Local\AVG SafeGuard toolbar
2013-05-03 21:34 - 2013-05-31 20:00 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-05-03 21:34 - 2013-05-31 19:58 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-05-03 21:33 - 2013-05-26 23:56 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Yontoo
2013-05-03 21:33 - 2013-05-03 21:40 - 21041840 ____A (Mozilla) C:\Users\Heather\Downloads\Firefox_Setup_20.0 [1].exe

==================== One Month Modified Files and Folders ========

2013-06-01 16:13 - 2013-06-01 16:13 - 00000000 ____D C:\FRST
2013-06-01 00:55 - 2013-03-08 23:27 - 00017408 ____A C:\Windows\System32\rpcnetp.exe
2013-06-01 00:41 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-01 00:41 - 2009-07-14 00:51 - 00033618 ____A C:\Windows\setupact.log
2013-05-31 23:12 - 2009-07-14 00:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-31 23:12 - 2009-07-14 00:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-31 23:04 - 2013-03-31 15:31 - 00000418 ____A C:\Windows\Tasks\Quick PC Booster64 startups.job
2013-05-31 23:04 - 2013-03-09 09:39 - 00000328 ____A C:\Windows\Tasks\GlaryInitialize.job
2013-05-31 22:48 - 2013-03-08 23:31 - 01391301 ____A C:\Windows\WindowsUpdate.log
2013-05-31 22:43 - 2013-03-16 07:44 - 00001616 ____A C:\Windows\System32\.crusader
2013-05-31 22:07 - 2009-07-13 23:20 - 00000000 ___RD C:\Program Files (x86)
2013-05-31 22:02 - 2013-05-31 22:02 - 00000000 ____D C:\Windows\SysWOW64\cache
2013-05-31 22:02 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64
2013-05-31 20:43 - 2013-05-28 21:55 - 00001821 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-05-31 20:43 - 2013-05-28 21:55 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-31 20:01 - 2013-05-31 20:00 - 00003725 ____A C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2013-05-31 20:00 - 2013-05-03 21:34 - 00000000 ____D C:\Program Files (x86)\AVG SafeGuard toolbar
2013-05-31 19:58 - 2013-05-03 21:34 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-05-29 00:21 - 2013-05-29 00:21 - 304158412 ____A C:\Windows\MEMORY.DMP
2013-05-29 00:21 - 2013-05-29 00:21 - 00000000 ____D C:\Windows\Minidump
2013-05-28 23:48 - 2013-05-28 23:48 - 00318322 ____A C:\Windows\System32\HitmanPro_20130528_2348.log
2013-05-28 22:50 - 2009-07-14 01:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-27 12:05 - 2009-07-14 00:45 - 00024576 ____A C:\Windows\System32\umstartup.etl
2013-05-27 11:27 - 2013-05-03 21:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-05-27 11:27 - 2010-11-20 23:47 - 00058664 ____A C:\Windows\PFRO.log
2013-05-27 11:12 - 2013-05-27 11:12 - 00100352 ____A (G<o) C:\Users\Heather\AppData\Local\sjwsnt.jsc
2013-05-27 01:17 - 2013-05-03 21:41 - 00000456 ___AH C:\Windows\Tasks\Norton Security Scan for Heather.job
2013-05-27 00:29 - 2013-05-26 22:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-05-26 23:56 - 2013-05-03 21:33 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Yontoo
2013-05-26 22:31 - 2013-04-22 11:47 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-05-26 21:15 - 2013-04-22 11:48 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Skype
2013-05-26 19:13 - 2013-05-26 19:13 - 00000000 ____D C:\Users\Heather\AppData\Local\Macromedia
2013-05-26 19:13 - 2013-03-09 19:03 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-26 19:13 - 2013-03-09 19:03 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-22 11:08 - 2013-04-06 14:29 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-19 22:19 - 2013-03-24 09:04 - 00000000 ____D C:\Users\Heather\AppData\Roaming\BitTorrent
2013-05-18 23:53 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-17 23:35 - 2013-05-17 23:35 - 00017249 ____A C:\Users\Heather\Desktop\Price Budget.ods
2013-05-17 12:45 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-17 09:39 - 2009-07-14 00:45 - 00300232 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 21:14 - 2013-05-16 21:14 - 00001113 ____A C:\Users\Heather\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-16 11:46 - 2013-03-09 09:18 - 00000000 ___RD C:\Users\Heather\Desktop\Unused Desktop Icons
2013-05-16 09:16 - 2013-03-09 07:52 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-08 18:06 - 2013-05-08 18:06 - 00018009 ____A C:\Users\Heather\Documents\Adam REsume.odt
2013-05-07 19:44 - 2013-05-07 19:44 - 00000193 ____A C:\Windows\WORDPAD.INI
2013-05-05 21:22 - 2013-03-31 16:56 - 00000000 ____D C:\Users\Heather\AppData\Local\Microsoft Games
2013-05-03 21:42 - 2013-05-03 21:41 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Mozilla
2013-05-03 21:41 - 2013-05-03 21:41 - 00001457 ____A C:\Users\Public\Desktop\Norton Security Scan.LNK
2013-05-03 21:41 - 2013-05-03 21:41 - 00001151 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Windows\System32\Drivers\NSSx64
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Users\Heather\AppData\Local\Mozilla
2013-05-03 21:41 - 2013-05-03 21:41 - 00000000 ____D C:\Program Files (x86)\Norton Security Scan
2013-05-03 21:40 - 2013-05-03 21:40 - 00000000 ____D C:\Users\Heather\AppData\Local\Google
2013-05-03 21:40 - 2013-05-03 21:33 - 21041840 ____A (Mozilla) C:\Users\Heather\Downloads\Firefox_Setup_20.0 [1].exe
2013-05-03 21:35 - 2013-05-03 21:35 - 00000000 ____D C:\Users\Heather\AppData\Local\AVG SafeGuard toolbar
2013-05-02 02:06 - 2010-11-20 23:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2013-03-08 23:11] - [2011-02-25 02:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\System32\winlogon.exe
[2010-11-20 23:24] - [2010-11-20 23:24] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\System32\wininit.exe
[2009-07-13 19:52] - [2009-07-13 21:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\System32\svchost.exe
[2009-07-13 19:31] - [2009-07-13 21:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\System32\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\User32.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B

C:\Windows\System32\userinit.exe
[2010-11-20 23:24] - [2010-11-20 23:24] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53

C:\Windows\System32\Drivers\volsnap.sys
[2010-11-20 23:23] - [2010-11-20 23:23] - 0295808 ____A (Microsoft Corporation) 0D08D2F3B3FF84E433346669B5E0F639


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-22 21:11:04
Restore point made on: 2013-05-28 22:55:13

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 2686.6 MB
Available physical RAM: 2394.07 MB
Total Pagefile: 2513.46 MB
Available Pagefile: 2442.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1991.55 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:55.79 GB) (Free:24.28 GB) NTFS
Drive e: (PRICEJDRIVE) (Removable) (Total:3.71 GB) (Free:3.71 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 56 GB) (Disk ID: 14CB14CB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=56 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: FC3F57BF)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)


Last Boot: 2013-04-04 13:10

==================== End Of Log ============================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

On another PC, open Notepad and copy & paste the following:

start
HKLM\...\Winlogon: [Shell] regsvr32 /n /i /s "C:\Users\Heather\AppData\Local\sjwsnt.jsc" [x ] () <=== ATTENTION
C:\Users\Heather\AppData\Local\sjwsnt.jsc
HKU\Heather\...\Run: [Yontoo Desktop] "C:\Users\Heather\AppData\Roaming\Yontoo\YontooDesktop.exe" [x]
2013-06-01 00:55 - 2013-03-08 23:27 - 00017408 ____A C:\Windows\System32\rpcnetp.exe
2013-05-26 23:56 - 2013-05-03 21:33 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Yontoo
end

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click Fix. Post the generated log.

Attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
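The entries Fiery pulled into the fixlist are the ones an analyst picks out of an FRST autostart listing: a Winlogon Shell value that is not explorer.exe, the `<=== ATTENTION` marker FRST adds, a signed loader (regsvr32) handed a file that is not a DLL, and a startup path under the user's AppData. As an added example that is not part of this thread or of FRST, the Python script below applies those checks to sample lines reproduced from the log above; the DEFAULT_SHELL constant and the loader list are my assumptions about a clean Windows 7 system.

```python
"""Triage the autostart lines of an FRST log ("Registry (Whitelisted)" section).

Added example for this thread; not part of FRST or of the MalwareTips post.
SAMPLE_LOG reproduces entries from the FRST log posted above; the Winlogon Shell
hijack should light up while the Steam and NVIDIA entries stay quiet.
"""
import re

DEFAULT_SHELL = "explorer.exe"  # assumed Winlogon Shell value on a clean Windows 7 system

# Signed Windows binaries that legitimately load other code; handing one of
# them something other than a DLL-type file is unusual (assumed list).
LOADERS = {"regsvr32", "regsvr32.exe", "rundll32", "rundll32.exe"}
EXPECTED_LOADER_PAYLOADS = {".dll", ".ocx", ".cpl", ".ax"}

# One FRST autostart line:
#   <hive>\...\<key>: [<name>] <command> [<size date> | x] (<vendor>) [<=== ATTENTION]
LINE_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>\w+):\s+"
    r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*?)\s+"
    r"\[(?P<meta>[^\]]*)\]\s*(?:\((?P<vendor>[^)]*)\))?\s*"
    r"(?P<attn><=== ATTENTION)?\s*$"
)

SAMPLE_LOG = [
    "==================== Registry (Whitelisted) ==================",
    "",
    r"HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15960096 2009-03-06] (NVIDIA Corporation)",
    r"HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]",
    r'HKLM\...\Winlogon: [Shell] regsvr32 /n /i /s "C:\Users\Heather\AppData\Local\sjwsnt.jsc" [x ] () <=== ATTENTION',
    r'HKU\Heather\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [ 2013-03-29] (Valve Corporation)',
    r'HKU\Heather\...\Run: [Yontoo Desktop] "C:\Users\Heather\AppData\Roaming\Yontoo\YontooDesktop.exe" [x]',
    "BootExecute: autocheck autochk * bootdelete",
]


def parse_line(line):
    """Fields of one FRST autostart line, or None for headers and other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd):
    """(loader, payload path): the binary FRST shows first and the file it runs.
    For regsvr32/rundll32 the payload is the first non-switch argument."""
    tokens = cmd.split()
    if not tokens:
        return "", ""
    loader = tokens[0].strip('"').lower()
    if loader in LOADERS:
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd[len(tokens[0]):]):
            arg = quoted or bare
            if not arg.startswith("/"):
                return loader, arg.split(",")[0]  # drop rundll32's ",EntryPoint"
        return loader, ""
    quoted = re.match(r'"([^"]+)"', cmd)
    return loader, (quoted.group(1) if quoted else tokens[0])


def extension(path):
    """Lower-case extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def triage(entry):
    """Reasons an autostart entry deserves a look; empty list means nothing seen."""
    reasons = []
    cmd = entry["cmd"]
    loader, path = split_command(cmd)
    ext = extension(path)
    if entry["key"].lower() == "winlogon" and entry["name"].lower() == "shell":
        if cmd.strip('"').lower() != DEFAULT_SHELL:
            reasons.append("Winlogon Shell is not explorer.exe: the logon shell is replaced")
    if entry["attn"]:
        reasons.append("FRST marked the entry <=== ATTENTION")
    if loader in LOADERS and ext not in EXPECTED_LOADER_PAYLOADS:
        reasons.append(f"{loader} is handed a '{ext or '?'}' file, not a DLL-type payload")
    if re.search(r"\\AppData\\(Local|Roaming)\\", path, re.IGNORECASE):
        reasons.append("autostart from a user-writable AppData path")
    if entry["meta"].strip() == "x" and not entry["vendor"]:
        # Weak on its own: FRST prints [x] for WerFault's default RunOnce entry too.
        reasons.append("no file size/date or publisher recorded by FRST ([x])")
    return reasons


def triage_log(lines):
    """Map entry name -> reasons, for every autostart line that raised at least one."""
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := triage(entry)):
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the Shell entry collects all five reasons and Yontoo two, while the WerFault RunOnce line gets only the weak `[x]` reason, which is why that signal is not acted on alone.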
 

Awp264

New Member
Thread author
May 31, 2013
11
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-06-2013
Ran by SYSTEM at 2013-06-01 17:03:48 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
C:\Users\Heather\AppData\Local\sjwsnt.jsc => Moved successfully.
HKEY_USERS\Heather\Software\Microsoft\Windows\CurrentVersion\Run\\Yontoo Desktop => Value deleted successfully.
C:\Windows\System32\rpcnetp.exe => Moved successfully.
C:\Users\Heather\AppData\Roaming\Yontoo => Moved successfully.

==== End of Fixlog ====
 

Awp264

New Member
Thread author
May 31, 2013
11
So, from now on, is there a program, or programs, that I should run on a regular basis? I have HitmanPro now for a year... will it do? Or should I run malware?
 

Fiery

Level 1
Jan 11, 2011
2,007
Although you can boot normally, there may still be malware present so there will be a couple more scans to follow.

You need real-time protection. Malwarebytes is mainly used as an on-demand scanner. I will provide a full list of recommendations once we have finished the removal process :)
 

Fiery

Level 1
Jan 11, 2011
2,007
Good :)

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 
